Privacy Policy

Purpose and scope of the Privacy Policy

This Privacy Policy is intended to help you understand our practices concerning the collection, use, disclosure and retention of Personal Information. By providing us with Personal Information, whether through our website or secure portal, by email, in person or by telephone, you are giving your consent to the processing of your Personal Information as described in this Privacy Policy. You authorize ArcelorMittal Long Products Canada (AMLPC) and its third parties and service providers to process your Personal Information for the purposes below.

This Policy applies to all directors, officers and employees of AMLPC and any third party acting on behalf of AMLPC concerning:

  • All Personal Information processed in Quebec by AMLPC or one of its subsidiaries, including by employees, customers, contractors, local stakeholders, consultants and business partners;
  • All Personal Information processed outside Quebec for and on behalf of AMLPC or one of its subsidiaries, then transferred or made available, including Personal Information concerning employees, customers, contractors, local actors, consultants, partners and suppliers;
  • Any Personal Information Processing activity conducted by a subsidiary outside Quebec offering goods or services or processing Personal Information of Concerned Persons located in Quebec.

This Policy applies to Personal Information Processing, whether it is automated or electronic in whole or in part, and to Processing using other automated means such as filing systems or intended to form part of a filing system (e.g., paper filing cabinets, storage cabinets, etc.).

This Policy does not cover:

  • Anonymized information: This refers to data that has undergone a process of anonymization, rendering individuals unidentifiable, either directly or indirectly.
  • Data Processing by Subsidiaries located outside Quebec whose activities are not related to (i) the operations of AMLPC or one of its Quebec-based subsidiaries or (ii) Concerned Persons located in Quebec, to whom goods or services are offered and whose Personal Information is processed within Quebec.

This Policy is subject to the laws governing the protection of Personal Information in force in Quebec and is aligned with ArcelorMittal’s Binding Corporate Rules. To read ArcelorMittal’s Privacy Policy, click this link https://corporate.arcelormittal.com/corporate-library/privacy-policy.

AMLPC’s board of directors and management are dedicated to full compliance with all local and international laws regarding Personal Information and the safeguarding of individuals’ rights and freedoms in the Processing of their Personal Information. In pursuit of this commitment, AMLPC has established and will continually maintain, enhance, and support a Privacy Management Framework, accompanied by other privacy and data protection policies.
The Privacy Management Framework is intended to ensure the protection and fair Processing of Personal Information to achieve the following objectives:

  • Meet AMLPC’s corporate requirements for managing personal information;
  • Support organizational goals and obligations;
  • Implement controls per an acceptable risk level for AMLPC;
  • Ensure adherence to statutory, regulatory and contractual provisions, as well as professional obligations;
  • Safeguard the interests of individuals and stakeholders.

Stewardship of AMLPC’s Privacy Policy

The stewardship of AMLPC’s Privacy Policy falls under the purview of AMLPC’s corporate Legal and Information Technology departments, which are entrusted with its implementation.

AMLPC and its directors, officers and employees must comply with this Policy.

In alignment with this commitment, all members of AMLPC’s personnel:

  • Receive support from senior management in the execution of their responsibilities and report directly to the upper echelons of ArcelorMittal’s leadership.
  • Collaborate closely with the Legal department, which is tasked with investigating, monitoring and auditing to ensure compliance with this Policy. The Legal department coordinates all necessary measures to secure compliance across various business units with the obligations under this Privacy Policy.

Definitions relevant to the protection of Personal Information

Sensitivity Classification” refers to the procedure by which a public body evaluates the sensitivity of its information to determine the level of protection required to address potential risks to availability, integrity, and confidentiality.

Consent” means any freely given, specific, informed and unambiguous indication of a natural person’s wishes by which they, by a statement or clear affirmative action, signify agreement to the Processing of their personal data.

Recipients” refers to natural or legal persons, public authorities, agencies or any bodies that receive data, whether as third parties or otherwise. However, public authorities which may receive data as part of a particular investigation are not considered Recipients.

Subsidiaries” means any company or legal entity that is entirely consolidated and under the control of AMLPC. The term “control” means the direct or indirect possession of the authority to manage and dictate the policies of a business or legal entity. This control can be established through ownership of voting securities, contractual agreements, or other means.

Confidentiality Incident” entails access, use or disclosure not authorized by law of Personal Information, the loss of Personal Information or any other breach that compromises the protection of such information.

Persons Concerned” means any natural person whose Personal Information is processed as part of a process within the scope of this Policy.
Anonymized Information” means information that has been irreversibly and permanently modified, making it reasonably foreseeable, under the given circumstances, that it can no longer be employed to identify the Person Concerned, either directly or indirectly.
The terms “irreversibly” and “irreversible” entail that, at the time of anonymization and in the foreseeable future, there should be no possibility of identifying the Person Concerned, whether directly or indirectly.

The assessment of whether anonymization is irreversible must consider various factors:

  • Reasonably foreseeable technological advancements;
  • The quantity and nature of the information involved;
  • The potential connections with other information that is publicly available or held (or reasonably expected to be held) by the organization.

De-identified Information” means information that can no longer be used to identify the Person Concerned directly.

The de-identification process involves the removal of all directly identifying information, such as names, home addresses, or personal identification numbers, often replaced by codes.

It should be noted that De-identified Information is still considered Personal Information as it could potentially enable indirect identification of the Person Concerned.

Personal Information” means any information relating to an identified or identifiable natural person. An identifiable person may be directly or indirectly determined, particularly through an identification number or specific factors related to the individual’s physical, physiological, mental, economic, cultural or social identity.

Sensitive Personal Information” or “Sensitive Data” means data that, due to its nature, such as medical, biometric, or other highly personal details, or the context in which it is used or disclosed, gives rise to a substantial and reasonable expectation of privacy. Examples include medical records, biometric or genetic data, financial information, as well as details about a person’s life, sexual orientation, religious beliefs or ethnic background.

Some information becomes sensitive based on the context of its use or disclosure. The particular circumstances of such use or disclosure must be evaluated in light of the substantial yet reasonable expectation of privacy. To determine the sensitivity of such Personal Information, the expectation of privacy of the Person Concerned must be assessed. The proper test is whether a reasonable and well-informed person, placed in the same situation as the Person Concerned, would have a high expectation of privacy.

Processing” means any operation or series of operations executed on Personal Information or sets of personal data, whether or not by automated means. These operations include data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure via transmission, dissemination or other means of access, alignment or combination, restriction, erasure or destruction.

Processor” refers to a legal entity that processes Personal Information on behalf of the controller. The term “Processor” has the same meaning as “service provider.”

Breach Involving Personal Information” refers to any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Information that is transmitted, stored or otherwise processed.

 

What Personal Information we collect and how we collect it

We collect the Personal Information in the following ways:

  • In the course of our business relationship with customers and suppliers/providers;
  • Job applications within our organization;
  • We also collect information from publicly available sources, such as public and social media platforms, and our website.

When you visit our website, use our secure portal or communicate with us, we collect Personal Information about you.

We may also collect and process various types of Personal Information that is relevant to our business activities, including:

  • Information establishing your identity, such as your first and last name;
  • Contact information, such as names, addresses, emails and phone numbers;
  • Biographical data like job titles, names of employers and visual or audio content, such as photos and videos;
  • Information relating to marketing and communication preferences, as well as related data such as comments and survey responses;
  • Billing and financial information, such as billing addresses, bank account information or payment details;
  • Service-related information, such as details of services we have provided (e.g., during relocations);
  • Information obtained during recruitment processes, such as CVs, education and employment history, professional affiliations and other information that may be relevant to potential recruitment by or association with AMLPC;
  • Website usage and other technical data, including website visit details, interactions with our advertising and online content and information collected through the use of cookies and other tracking technologies;
  • Information provided to us either directly or on behalf of our customers, or generated by us during our business activities;
  • Any other personal information provided. If you provide us with Personal Information about other individuals, such as your customers, directors, officers, shareholders or beneficial owners, you must ensure that you have notified them that you are sharing their information. Furthermore, you must confirm that you have obtained their consent for such disclosure. In cases where consent is required to process Personal Information, we may also request evidence of the consent, including the date, time, and means through which it was obtained.

AMLPC employees are obligated to process Personal Information per specific legal criteria, which are assessed based on one or more of the following six legal bases or grounds:

  • Performance of a contract;
  • Compliance with a legal duty;
  • Protection of the interests of a Person Concerned;
  • Execution of a task conducted in the public interest or the exercise of official authority;
  • Pursuit of the legitimate interests of AMLPC or a third party;
  • Consent provided by the Person Concerned.

Should AMLPC opt to process Personal Information based on consent, such consent must be:

  • Unambiguous;
  • Freely given;
  • Specific;
  • Informed.

Sharing of Personal Information

We may share your Personal Information with our customers and partners. We may also disclose it to fulfill legal obligations or to enforce our rights.

AMLPC is the world’s leading steel company and part of the ArcelorMittal S.A. group, with subsidiaries in multiple countries. We may also share Personal Information with specific third parties, including the following:

  • Third-party service providers and partners who provide us with website support, application development, hosting, maintenance and other services. These third parties may access or process Personal Information to provide these services. We limit the information we share to that which is reasonably necessary for these service providers to carry out their duties. Our agreements with these service providers mandate the maintenance of the confidentiality of such information.
  • In compliance with applicable laws, we may disclose personal and other information to government authorities and law enforcement agencies if required. This includes situations where disclosure is necessary to adhere to tax or other legal requirements, respond to court orders, subpoenas, government search warrants, or cooperate with government authorities and law enforcement agencies in good faith.
  • In connection with mergers, acquisitions, debt financing, asset sales, or similar transactions, and instances of insolvency, bankruptcy, or receivership, Personal Information may be disclosed to a purchaser, successor or assignee or transferred as a business asset to one or more third parties.
  • We use Personal Information solely for its original intended purpose or other purposes consistent with that primary purpose.

AMLPC ensures that Personal Information is disclosed to authorized third parties only. All employees exercise utmost care when disclosing Personal Information to third parties. They carefully evaluate whether such disclosure is pertinent and necessary to AMLPC’s business operations. Below are authorized circumstances in which disclosure to third parties is permitted:

  • To facilitate transactions for the purchase of goods or services;
  • To maintain national security;
  • To prevent or detect crimes, including facilitating the arrest or prosecution of offenders;
  • To assess or collect taxes;
  • To fulfill legal obligations, including those related to health, safety, and welfare at work;
  • To protect the fundamental interests of the Persons Concerned, especially in life-threatening situations.

Rules governing the Processing of Personal Information

The Processing of Personal Information adheres to the following legal principles:

Lawfulness, fairness and transparency

The Personal Information of Persons Concerned is handled in a lawful, fair, and transparent manner.

Lawfulness of Processing

Processing Personal Information is considered lawful when grounded in at least one of the grounds below.

Loyalty

AMLPC is obligated to process Personal Information fairly. This entails:

  • Processing the Personal Information of the Person Concerned for the operation(s) transparently and by their reasonable expectations.
  • Using the data in a manner that avoids any detrimental impact on the Person Concerned.

Transparency

Persons Concerned are provided with information regarding how their Personal Information is processed. Generally, Personal Information is directly collected from the Persons Concerned, and they are informed about the purpose of the data Processing during collection.

Legitimate purpose

Personal Information is collected for legitimate purposes. These purposes must adhere to all data protection laws and other applicable regulations, including employment and contract laws. The legitimate purpose must be lawful, reasonable, and aligned with the reasonable expectations of the Person Concerned.

Data minimization

The data minimization principle is intrinsically linked to the purpose of Processing Personal Information: only the essential Personal Information may be processed to achieve the intended purpose for which it was collected.

In processing Personal Information, it must meet the following criteria:

  • Adequate (sufficient data);

 

  • Relevant (necessary to achieve the purpose);
  • Limited to what is strictly necessary to achieve the purpose.

 

Accuracy

Personal Information processed by AMLPC must be accurate and up to date. To enhance accuracy, AMLPC collects Personal Information directly from the Person Concerned whenever possible.

Integrity and confidentiality

Personal Information is processed in a manner that ensures its integrity, and measures are taken to safeguard its integrity throughout the project or process lifecycle.

As part of maintaining confidentiality, Personal Information is made accessible only to individuals with a legitimate need for it in connection with the Processing, adhering to the “need-to-know” principle. ArcelorMittal ensures that Personal Information is processed solely by authorized personnel on authorized equipment.

 

Legal basis for Processing Sensitive Personal Information

AMLPC processes Sensitive Personal Information on specific legal grounds, including:

  • The Person Concerned has given explicit consent.
  • AMLPC is required to fulfill legal obligations, such as in litigation before a court or for social security compliance.

The Processing of Personal Information is prohibited except in the following situations:

  • When the Person Concerned explicitly consents to the Processing of Sensitive Data, unless prohibited by applicable law.
  • When Processing is necessary to fulfill the controller’s obligations and exercise specific rights in employment, social security, and social protection law. This is permitted by national legislation with safeguards for the rights and interests of the Persons Concerned (e.g., anti-discrimination measures).
  • When Processing is necessary to protect the vital interests of the Person Concerned or of another person where the Person Concerned is physically or legally incapable of giving consent.
  • When Processing involves Sensitive Data that the Person Concerned has manifestly made public.
  • When Processing is required to establish, exercise or defend legal claims, or when courts are acting in their judicial capacity.
  • When Processing Sensitive Data is necessary for preventive or occupational medicine, assessing employee working capacity, medical diagnosis, providing care, treatment, or managing health services. This applies when such data is processed by a health professional bound by professional secrecy or an equivalent duty of confidentiality. Sensitive Data may only be processed for these purposes by professionals subject to professional secrecy obligations.

Responsibility for the lawful Processing and storage of Sensitive Data and compliance with confidentiality and professional secrecy rules and regulations lies with AMLPC employees in the relevant departments.

 

Individual rights regarding Personal Information

Persons concerned have several rights concerning their Personal Information. Under applicable data protection laws, individuals can exercise the following rights under specific circumstances:

  • Right of access: Individuals can inquire whether we are processing their information, and if so, they can request access to their Personal Information. Subject to applicable law and, if relevant, the payment of a fee, individuals can obtain a copy of their Personal Information in a structured, commonly used, and machine-readable format.
  • Right to accuracy: We must take reasonable measures to ensure that the Personal Information we hold is accurate, complete, not misleading and up to date.
  • Right to rectification: Individuals are entitled to request the correction of their Personal Information when they believe there is an error or omission.
  • Right to object: Individuals have the right to restrict, cease, prevent or object to the Processing of their Personal Information. They may also request the erasure of their Personal Information.

How we store and protect Personal Information

AMLPC implements all necessary technical and organizational measures to safeguard Personal Information. Our practices align with widely accepted industry standards, ensuring the protection of information submitted to us. We maintain physical, technical, and administrative safeguards, protecting Personal Information against accidental loss or destruction, unauthorized access, alteration or disclosure, misuse and unlawful Processing.

Every employee bears responsibility for securely maintaining Personal Information. Disclosure to third parties only occurs with explicit AMLPC authorization, following data processing agreements and per the guidelines on data transfer to third parties.

Access to Personal Information is restricted to those who need it, adhering to established policies and procedures. Personal Information in non-electronic formats (e.g., printed or handwritten documents) is accessible solely by authorized personnel, requiring written authorization for removal from AMLPC premises.

Personal Information is retained only for necessary periods and Processing must comply with legal records retention requirements. An audit trail facilitates the tracking of Personal Information, and such Personal Information is either destroyed or archived after the specified retention period.

Once the purpose or legal basis for Processing expires, we no longer retain Personal Information unless required by law. Retention periods may vary based on the type of information. We will keep personal information only as long as necessary for the purposes set out in this Privacy Policy and to comply with our statutory obligations.

In partnerships with third-party customers and suppliers, we ensure the security of Personal Information before, during and after the business relationship. Our contracts and terms and conditions include specific clauses for Personal Information protection.

We diligently uphold all legally permissible measures for your protection. Nevertheless, breaches of our safeguards may lead to unauthorized access, disclosure, alteration, or destruction of Personal Information. If you suspect a breach of Personal Information, please get in touch with us (see “To contact us” below for contact information).

 

To contact us

Should you have any inquiries or feedback regarding this Privacy Policy, if you wish to exercise your rights, file a complaint or get further information about our policies and practices, please contact our Privacy Officer. You can do so by visiting our Contact Us page or by sending mail to our address:

ArcelorMittal Long Products Canada
Headquarters | 4000 Route des Aciéries
Contrecœur, QC J0L 1C0